New DPIA on Microsoft Office and Windows software: still privacy risks remaining (short blog)
On behalf of the Dutch Ministry of Justice and Security, Privacy Company has investigated the privacy risks related to the use of Microsoft Windows 10 Enterprise, Office 365 ProPlus and Office Online, as well as the mobile Office apps. With the Ministry’s permission, we are publishing two blog posts about our findings: this short blog post as well as a long blog post. For questions about the research, please contact SLM Rijk (Strategisch Leveranciersmanagement Microsoft Rijk), which can be contacted via the Ministry of Justice’s press spokesperson, +31 (0)70 370 73 45.
New privacy terms and conditions for the Dutch central government
At the beginning of May 2019, SLM Rijk and Microsoft concluded negotiations about new privacy terms and conditions for the 300,000 digital workplaces of the central Dutch government. These are the corporate versions of the Office and Windows 10 software, which are used by the ministries, the Tax and Customs Administration, the police, the judiciary, and independent administrative bodies. Three new DPIAs (Data Protection Impact Assessments, written in English), which Privacy Company has carried out for the central government, show that Microsoft has solved the eight previously identified privacy risks for Office 365 ProPlus (the desktop version). Microsoft has mitigated these risks through a combination of technical, organisational, and contractual measures. See the previous blog post about these risks. In a recent letter to the Dutch House of Representatives, the results of the negotiations that SLM Rijk has conducted with Microsoft are listed: Microsoft only acts as a data processor for all its online services, processes the personal data for only three purposes, does not process the usage data for profiling, data analytics, market research or advertisements, and grants effective audit rights to the central Dutch government.
Measures taken in Microsoft Office 365 ProPlus
In recent months, Microsoft has globally implemented a large number of technical and organisational measures to reduce the privacy risks identified for Office 365 ProPlus. Since May 2019, Microsoft has been publishing extensive documentation on the diagnostic data relating to the use of Office ProPlus. Microsoft has adapted its existing Data Viewer Tool for Windows 10 to also display the Office 365 ProPlus telemetry data. This allows data subjects to view the Office ProPlus data that Microsoft collects from their device.
Since May 2019, Microsoft has been offering a large number of frequently used Connected Experiences such as the spelling checker, the translation module, and the Office help function as a processor, and no longer as a data controller. There are 14 Connected Experiences for which Microsoft remains the controller (the additional Connected Experiences), but Microsoft enables system administrators of Office ProPlus to centrally disable the use of these Controller Connected Experiences. Centrally disabling these services avoids the risk of Microsoft asking the employees for consent to collect data about the use of these services, while consent is not a valid legal basis for this data processing.
Since the release of the Office 365 ProPlus version 1904, as made available by Microsoft on 29 April 2019, Microsoft has also built in a choice for system administrators to minimize the telemetry level. Microsoft offers three options: Required, Optional, and Neither.
No improvements for Windows 10 Enterprise, Office Online and the mobile apps
Microsoft has not yet implemented these improvements in Office Online (the version of the software that runs in a browser) and the mobile Office apps (the apps that can be installed on iOS and Android smartphones and tablets). The Dutch government’s new privacy terms and conditions do not (yet) apply to data processing via Windows 10 Enterprise or the mobile Office apps. It is not possible to minimize data traffic in Office Online. From at least three of the mobile apps on iOS, data about the use of the apps goes to a US-American marketing company that specializes in predictive profiling. This is done without providing any information about the purposes of this processing, and without giving the users or administrators any possibility to prevent this processing.
SLM Rijk therefore advises government agencies to, for the time being, refrain from using Office Online and the mobile Office apps and to opt for the lowest possible level of data collection in Windows 10, called Security. If the government institutions’ system administrators also follow the other recommendations from the DPIA reports, there will no longer be any known high privacy risks for the institutions.
However, the government will continue to negotiate with Microsoft in order to bring Windows 10 Enterprise and the mobile apps within the scope of the new privacy terms, and to implement the same technical improvements for Office Online.
What can organisations do that are not part of the central Dutch government?
Companies and organisations outside the central Dutch government must take high privacy risks into account when using Office 365 ProPlus, Office Online, the mobile Office apps, and Windows 10 Enterprise. They can take a number of mitigating measures themselves, but in order to really remove the high risks, they should turn to Microsoft – preferably via a professional association – in order to negotiate privacy guarantees similar to those of the national Dutch government. It would do no harm to refer to the European Data Protection Superviser’s ongoing investigation of the contract terms that Microsoft offers to European institutions. Apart from that, organisations could also carry out their own DPIA, based on the reports from the government, and submit the residual risks to the Data Protection Authority, as referred to in Article 36 of the GDPR.
Measures that can be taken by the organisations themselves include:
- Upgrade to version 1905 or higher of Office 365 ProPlus and set the telemetry level to the 'Neither' option.
- Make use of the possibility to prohibit the use of the Controller Connected Experiences in Office 365 ProPlus (disable additional Connected Experiences).
- Disable the Customer Experience Improvement Program (CEIP) in Office ProPlus.
- Disable LinkedIn integration for Microsoft employee accounts in Office ProPlus.
- Establish policies to warn employees not to use the mobile Office apps and the Controller Connected Experiences in Office Online until the remaining five high risks have been mitigated.
- Choose the lowest, minimum level of diagnostic data collection in Office Online and the mobile apps as soon as technically possible.
- Update the internal privacy policy for handling employee personal data with specific information about for which purposes and under which circumstances the organisation may view different types of diagnostic data from Microsoft's different services and products.
- Perform DPIAs prior to using Workplace Analytics and Activity Reports in the Microsoft 365 admin center and before employees can use MyAnalytics and Delve.
- Consider the use of Customer Lockbox and Customer Key, depending on the sensitivity of the content data.
- Upgrade to version 1903 of Windows 10 Enterprise to use Intune with Securitytelemetry.
- Set the telemetry level in Windows 10 Enterprise to Security, or block telemetry traffic and do not allow users to synchronize their activities via the Timeline functionality.
- Take into account changes in the validity of data transfer tools (such as the EC Standard Contractual Clauses) following future case law of the European Court of Justice. It is up to the European Court of Justice to assess the risks of mass surveillance in the United States and up to the European legislator to reduce the remaining risks of transmitting diagnostic data from the EU to the US.
The how and why of these recommendations is explained in the three separate DPIAs for SLM Rijk. See also the extensive Dutch summaries of the reports on Office 365 ProPlus, Office Online and the mobile apps, and Windows 10 Enterprise.
Privacy Company has also published a long blog with the highlights of these three reports.
